AWS PrivateLink is a networking technology that provides private, highly scalable and highly available access to AWS services while keeping all network traffic within the AWS network. Without it, Amazon EC2 instances have to route traffic via the public internet to download Docker images stored in Amazon ECR or to communicate with the ECS control plane.

With PrivateLink support, Amazon EC2 instances can privately obtain these images from Amazon ECR from both private and public subnets. The instances can also communicate with the ECS control plane via AWS PrivateLink endpoints, removing the need for an internet gateway or NAT gateway. Finally, because the traffic never traverses the internet, exposure to threats such as distributed denial-of-service and brute-force attacks is minimized.

In the AWS blog post announcing the support, Nathan Peck, developer for container services at AWS, stated that the networking architecture becomes considerably more straightforward with AWS PrivateLink. Furthermore, he wrote:

It enables enhanced security by allowing you to deny your private EC2 instances access to anything other than these AWS services. That’s assuming that you want to block all other outbound internet access for those instances.

To implement this network architecture, customers need to create several AWS PrivateLink resources, starting with the interface endpoints for ECR.

In addition to the ECR endpoints, users also need a gateway VPC endpoint for S3, because ECR stores the Docker image layers in S3 and the instances fetch them from there. Selecting "com.amazonaws.region.s3" in the list of AWS services and choosing the VPC that hosts the ECS cluster adds the S3 gateway endpoint. Lastly, users create the AWS PrivateLink interface endpoints for ECS in the same way as for ECR; there are three of them:

com.amazonaws.region.ecs-agent

com.amazonaws.region.ecs-telemetry

com.amazonaws.region.ecs
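The following script is an added example and is not code from the InfoQ article or from AWS. It covers the procedure above end to end: it lists the endpoints a cluster needs, emits the documented `aws ec2 create-vpc-endpoint` calls for them, locks the instance security group down to the "deny everything else" stance Nathan Peck describes, and audits `aws ec2 describe-vpc-endpoints` output for the two mistakes that silently keep traffic flowing through NAT (a missing endpoint, or an interface endpoint created without private DNS). The ECR endpoint names are not listed on this page; the example uses the names from the AWS documentation (`ecr.api` and `ecr.dkr`). The region, VPC, subnet, security-group, route-table and prefix-list IDs, and the describe-vpc-endpoints sample, are all placeholders constructed for the example.

```python
"""Plan, create and audit the VPC endpoints an ECS cluster needs to run with no
internet gateway or NAT gateway. Added example; IDs and sample data are made up."""
import json

# Interface (PrivateLink) endpoints. The ECS names are the three from the
# article; the ECR names come from the AWS docs, not from this page.
INTERFACE = ["ecr.api", "ecr.dkr", "ecs-agent", "ecs-telemetry", "ecs"]
GATEWAY = ["s3"]  # ECR keeps image layers in S3, so pulls need this too


def service_name(region, short):
    return f"com.amazonaws.{region}.{short}"


def required_endpoints(region):
    """Map every required service name to its endpoint type."""
    return {**{service_name(region, s): "Interface" for s in INTERFACE},
            **{service_name(region, s): "Gateway" for s in GATEWAY}}


def create_commands(region, vpc_id, subnet_ids, endpoint_sg, route_table_ids):
    """AWS CLI calls that create the endpoints (documented create-vpc-endpoint flags)."""
    cmds = []
    for svc, kind in required_endpoints(region).items():
        base = f"aws ec2 create-vpc-endpoint --vpc-id {vpc_id} --service-name {svc}"
        if kind == "Interface":
            # Private DNS makes the agent's default public hostnames resolve to
            # the endpoint ENIs inside the VPC instead of to public IPs.
            cmds.append(f"{base} --vpc-endpoint-type Interface "
                        f"--subnet-ids {' '.join(subnet_ids)} "
                        f"--security-group-ids {endpoint_sg} --private-dns-enabled")
        else:
            cmds.append(f"{base} --vpc-endpoint-type Gateway "
                        f"--route-table-ids {' '.join(route_table_ids)}")
    return cmds


def lockdown_commands(instance_sg, endpoint_sg, s3_prefix_list):
    """Drop the default allow-all egress rule on the instance security group and
    permit only HTTPS to the endpoint security group and to the S3 prefix list."""
    all_out = json.dumps([{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    https = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}
    to_endpoints = json.dumps([{**https, "UserIdGroupPairs": [{"GroupId": endpoint_sg}]}])
    to_s3 = json.dumps([{**https, "PrefixListIds": [{"PrefixListId": s3_prefix_list}]}])
    return [
        f"aws ec2 revoke-security-group-egress --group-id {instance_sg} --ip-permissions '{all_out}'",
        f"aws ec2 authorize-security-group-egress --group-id {instance_sg} --ip-permissions '{to_endpoints}'",
        f"aws ec2 authorize-security-group-egress --group-id {instance_sg} --ip-permissions '{to_s3}'",
    ]


def audit(describe_json, region):
    """Check parsed `aws ec2 describe-vpc-endpoints` output for the VPC and report
    services that are missing, not yet available, or (interface endpoints only)
    created without private DNS, which leaves the agent resolving public names."""
    found = {e["ServiceName"]: e for e in describe_json.get("VpcEndpoints", [])}
    problems = {"missing": [], "not_available": [], "private_dns_off": []}
    for svc, kind in required_endpoints(region).items():
        ep = found.get(svc)
        if ep is None:
            problems["missing"].append(svc)
        elif ep.get("State") != "available":
            problems["not_available"].append(svc)
        elif kind == "Interface" and not ep.get("PrivateDnsEnabled", False):
            problems["private_dns_off"].append(svc)
    return problems


# Constructed sample of describe-vpc-endpoints output (not from a real account):
# ecs-telemetry is missing, ecs is still pending, ecr.dkr has no private DNS.
SAMPLE = {"VpcEndpoints": [
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ecr.api", "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": False},
    {"ServiceName": "com.amazonaws.us-east-1.ecs-agent", "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.us-east-1.ecs", "VpcEndpointType": "Interface", "State": "pending", "PrivateDnsEnabled": True},
]}

if __name__ == "__main__":
    for c in create_commands("us-east-1", "vpc-0123", ["subnet-a", "subnet-b"], "sg-endpoints", ["rtb-private"]):
        print(c)
    for c in lockdown_commands("sg-ecs-instances", "sg-endpoints", "pl-s3"):
        print(c)
    print(json.dumps(audit(SAMPLE, "us-east-1"), indent=2))
```

The audit is the part worth keeping around: an instance behind a NAT gateway will happily pull images and register with ECS even when an endpoint is missing or private DNS is off, so nothing fails until the NAT route is removed. Running the audit (and the egress lockdown) before deleting that route turns a silent dependency into a visible one.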

With these AWS PrivateLink resources in place, all container orchestration traffic stays inside the VPC: the instances in the ECS cluster communicate directly with the ECS control plane and download Docker images without opening any connection outside the VPC through an internet gateway or NAT gateway. Dropping the NAT gateway also saves money, according to a Reddit post on an Amazon ECR PrivateLink question:

6-7TB through a NAT Gateway would be ~32.85/mo for connecting hours, plus $270 for data transfer ($0.045/GB processed, assuming ECR in the same region). PrivateLink would be 1/4 that. $7.30/mo for connecting hours and $60-70 for 6-7TB processed.